Puppet 3.1.1 is now available. 3.1.1 addresses several security
vulnerabilities discovered in the 3.x line of Puppet. These
vulnerabilities have been assigned Mitre CVE numbers CVE-2013-1640,
CVE-2013-1652, CVE-2013-1653, CVE-2013-1654, CVE-2013-1655 and
CVE-2013-2275.

All users of Puppet 3.1.0 and earlier are strongly encouraged to
upgrade to 3.1.1.

For more information on these vulnerabilities, please visit
http://puppetlabs.com/security, or visit
http://puppetlabs.com/security/cve/cve-2013-1640,
http://puppetlabs.com/security/cve/cve-2013-1652,
http://puppetlabs.com/security/cve/cve-2013-1653,
http://puppetlabs.com/security/cve/cve-2013-1654,
http://puppetlabs.com/security/cve/cve-2013-1655, and
http://puppetlabs.com/security/cve/cve-2013-2275.

Downloads are available at:
* Source: https://downloads.puppetlabs.com/puppet/puppet-3.1.1.tar.gz
* Windows package: https://downloads.puppetlabs.com/windows/puppet-3.1.1.msi
* RPMs: https://yum.puppetlabs.com/el or /fedora
* Debs: https://apt.puppetlabs.com
* Mac package: https://downloads.puppetlabs.com/mac/puppet-3.1.1.dmg
* Gems: via rubygems at https://rubygems.org/downloads/puppet-3.1.1.gem
  or by using `gem install puppet --version=3.1.1`

See the Verifying Puppet Download section at:
https://projects.puppetlabs.com/projects/puppet/wiki/Downloading_Puppet

Please report feedback via the Puppet Labs Redmine site, using an
affected Puppet version of 3.1.1:
http://projects.puppetlabs.com/projects/puppet/

## Changelog ##
Andrew Parker (3):
3b0178f (#14093) Cleanup tests for template functionality
4ca17d9 (#14093) Remove unsafe attributes from TemplateWrapper
f1d0731 (#14093) Restore access to the filename in the template
Jeff McCune (2):
52be043 (#19151) Reject SSLv2 SSL handshakes and ciphers
b9023b0 (#19531) (CVE-2013-2275) Only allow report save from the node matching the certname
Josh Cooper (7):
f63ed48 Fix module tool acceptance test
c42e608 Run openssl from windows when trying to downgrade master
8d199b2 Remove unnecessary rubygems require
3e493e1 Don't assume puppetbindir is defined
166bf79 Display SSL messages so we can match our regex
0328aaf Don't require openssl client to return 0 on failure
406725d Don't assume master supports SSLv2
Justin Stoller (6):
cb607d9 Acceptance tests for CVEs 2013 (1640, 1652, 1653, 1654, 2274, 2275)
611b12d Separate tests for same CVEs into separate files
f6e1987 We can ( and should ) use grep instead of grep -E
672af80 add quotes around paths for windows interop
28d80f0 remove tests that do not run on 3.1+
b87b719 run curl against the master on the master
Moses Mendoza (1):
6c3dd98 Update PUPPETVERSION for 3.1.1
Nick Lewis (3):
940594b (#19393) Safely load YAML from the network
7da9559 Always read request body when using Rack
8f82131 Fix order-dependent test failure in network/authorization_spec
Patrick Carlisle (3):
eef6d38 (#19391) (CVE-2013-1652) Disallow use_node compiler parameter for remote requests
f877cf5 (#19392) (CVE-2013-1653) Validate instances passed to indirector
eb71909 (#19392) Don't validate key for certificate_status
Pieter van de Bruggen (1):
f6dbe99 Updating module tool acceptance tests with new expectations.